Re: How to deny user changing his own password?
From | Network Administrator |
---|---|
Subject | Re: How to deny user changing his own password? |
Date | |
Msg-id | 1054238055.3ed665674f8a5@webmail.vcsn.com |
In response to | Re: How to deny user changing his own password? (nolan@celery.tssi.com) |
List | pgsql-general |
I was actually thinking the same thing. Typically the use for a web user runs a system user with minimalistic permissions; on the other hand, the **database** user that any CGI scripts connect to the database as needs permissions to the database resources - two entirely different things.

Unless you choose to have a different DB user for each application with a web interface, you might be faced with a serious problem if the DB user's account password gets changed, since that DB user's account is effectively used for several applications.

Quoting nolan@celery.tssi.com:

> > This is the second worst possible reason I can imagine for a feature
> > like this. Passwords coded into the frontend ... gosh!
>
> Depending on the application, coding a password into the front end can
> be a necessary condition. Think of a PHP web page script that makes
> database calls. How are you going to prevent other unauthorized
> connections from that system? Passwords aren't a perfect security
> device, but they're generally better than no password.
> > I could see some merit to a 'LOCK' option on the alter user command, so that
> > the password can only be changed by a superuser.
> --
> Mike Nolan
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: Have you checked our extensive FAQ?
>
> http://www.postgresql.org/docs/faqs/FAQ.html
>

--
Keith C. Perry
Director of Networks & Applications
VCSN, Inc.
http://vcsn.com

____________________________________
This email account is being hosted by:
VCSN, Inc : http://vcsn.com